wintertargeter writes "Yeah, it's another article on security, but this time we finally get a complete picture. Tom's Hardware looks at WPA/WPA2 brute-force cracking with CPUs, GPUs, and Amazon's Nvidia Tesla-based EC2 cloud servers. Verdict? WPA/WPA2 is pretty damn secure. Now to wait for a side-channel attack. Sigh...."

I'm considering setting up WiFi in my small apartment so I don't have cables going all over the place. To PS3, printer, desktop and laptop. If I set up my computers for WPA2/AES and change the key on a regular basis, is this considered secure enough? The printer and PS3 won't be on 24/7 so no one can run through 500 pgs and a couple of toners on me.

It's difficult to figure out all the ongoing wireless standards and security when you don't work in the industry.

Just use keys longer than 23 chars, alphanumeric + special chars, and use a nonstandard SSID for the network (treat as a password, it's used to salt the key derived from your PSK). All this on WPA2/AES and you should be considered secure.
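The SSID-as-salt point in the comment above, as an added example that is not part of the original thread: WPA/WPA2-PSK derives the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, so work precomputed for one network name is useless against another. The function names and the short list of default SSIDs are constructed for illustration.

```python
import hashlib

WPA_ITERATIONS = 4096  # iteration count fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_BYTES = 32         # the pairwise master key is 256 bits

# Constructed sample of factory-default SSIDs; a real audit would load a larger list.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, WPA_ITERATIONS, PMK_BYTES
    )


def shares_precomputed_work(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True when a PMK computed for ssid_a is also the PMK for ssid_b."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def audit_ssid(ssid: str) -> list:
    """Return findings for an SSID that weakens the salt's value."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("SSID is a factory default: precomputed PMK tables may exist")
    if len(ssid.encode("utf-8")) < 4:
        findings.append("SSID is very short: likely shared with other networks")
    return findings


if __name__ == "__main__":
    # Same passphrase, two network names: the derived keys have nothing in common.
    for name in ("linksys", "apt-4c-upstairs"):
        print(name, derive_pmk("correct horse battery", name).hex(), audit_ssid(name))
```

The SSID is not secret (it is broadcast), so its value as a salt is uniqueness rather than confidentiality.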

Like the quote in the article said, it's "more of a pinhole than a crack". It needs very specific circumstances and also needs you to use TKIP vs AES. I'm not sure about as of today, but in regard to that article, WPA with AES=secure.

The real problem isn't anything to do with WPA, it's with companies like Verizon who in modern times have the stupidity to use WEP. If it's not WPA2 compatible throw it in the garbage.

Ultimately the only solution is to have a segregated WiFi network. I've set one up in one of our offices, with the others to follow soon. If one of our workers needs to access internal network resources from our WiFi network, he's got to do what he'd do if he was in a coffee shop or an airport, establish a VPN connection to the internal network. There simply isn't any other solution so far as I can tell. You have to treat WiFi as a potentially hostile entry point.

I hope you are doing the same or something similar with wired then. No, locking switch ports by MAC address is not good enough. Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.

Nope, just had to chase a Verizon man out of my server room a couple weeks ago.

The receptionist let him in because it said Verizon on his jacket and someone kept letting him through doors after that. He was on the wrong floor and would have disconnected live equipment had I not chased him out with a rack rail.

Having a programmer pull double duty as a receptionist would be instant death to any company. Most programmers around here have that standard dry sarcastic humor that would probably cost the company money if we had to interact with real people. Great bunch to work with.

Whether or not he's been watching too much Burn Notice, Burn Notice is right about that one. You can get into about 90% of offices that way. It's actually happened (twice!) at mine, and the building is poorly designed (as recently as 20 years ago!), so improving security is difficult. Anything older than 15 years (pre-9/11) is probably similarly difficult to physically secure.

The building I work in was designed/built in 1971, and it's easy to physically secure... there's no actual office space on the ground floor (that's retail space that we rent out), and you need two keycards to actually get anywhere in the building: the building pass which you need to get past security after hours and use the elevators (retail space and elevators shut down from 6pm - 7am and on Sundays), and the office pass, which opens the doorway into your office area. More secure floors have a 2nd security

So far, so good. The tough part is that as an organization grows, it reaches a point where it will start to make sense to incorporate these additional expenses. But what triggers this decision? There's no automatic formula involved, and a growing organization has to carefully

No, actually, I'd say it's more that you have made the error of thinking that because it's dramatized it bears no resemblance to [csoonline.com] reality [csoonline.com]. Social engineering is a big [social-engineer.org] deal [cio.com], to the extent that in places where security is paramount it's a major component in vulnerability assessment and penetration testing.

The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network. Yes, you're right, physical security can be an issue, but it is a much more difficult target, and thus simply does not worry me as much. If your scenario were that common, then you'd best be considering the physical security of your servers. After all if a guy in coveralls can plug in a CAT5 cable, then surely he can make it into the server

Whose fault it is isn't relevant. If you're concerned with fault, you must be a manager rather than something useful. The goal is to keep things private and secure, not make sure you get to point the finger somewhere else. If you're pointing the finger, you've already failed even if you're too stupid to realize it.

This kind of thinking is, in my opinion, exactly opposite of good security. Companies who take a "Security is everybody's responsibility!" attitude are doomed to fail. Something that is everybody's responsibility is no-one's responsibility. Being able to identify whose fault it is is a side effect of knowing whose responsibility it is. My responsibility to secure the network. The receptionist's responsibility to vet the people coming into the building. The facilities/security person's responsibility t

The problem is, deciding that nobody should care about security opens up a bunch of potential vulnerabilities.

Most companies have a side door that is accessible to employees with a badge. This is where we target to gain physical access to a building during a penetration test. Almost everyone will hold the door for you if you look busy and are reasonably respectable looking. Most companies can't afford to secure every door, or won't do it due to parking situations, etc.

I'd expect the server rooms to be considerably harder to access than general offices. After all, I've once been at a job interview where I was asked to solve some problem for a test. While I did so, the interviewers left the room. I think it wouldn't have been too hard to plug something into an Ethernet port during that time. OTOH, getting into the server room would not have been possible, especially not alone.

1. have your mother feign car trouble and ask to use the restroom
2. while she's there, she leaves a remote-control smoke bomb in the trash.
3. find a sysadmin that's out on vacation (?wtf, that can't be right?)
4. make up a gift basket, hide some elemental sodium (hah! really?! Florida's pretty damn humid...) in it
5. send gift basket (4) to absent sysadmin (3), where it gets left sitting in the server room until his return
6. trigger smoke bomb (2)
7. smoke (6) triggers sprinklers
8. water from sprinklers (7) ignites elemental sodium (4) starting a two-alarm conflagration
9. sneak into gangster's warehouse disguised as fireman
10. steal wifi

It's fairly common to have interviewers leave a room during a test. That doesn't mean you're not observed. There is a high chance that there is an inconspicuous camera pointed at you, to observe how you behave when you think you're alone. Anything from snooping to nasty personal habits can weigh in on whether you get a job offer, or what the job offer will be.

I'd actually argue that's probably untrue at most work sites. For example, in every one of the last 5 buildings I've worked in, sharing a ride in the right elevator could get you into an area with an RJ45 port, whereas getting into the server room required passing a badge access door that was only used by 5 people who all knew each other, with an expectation that anyone else would be escorted.

The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network.

Easier than breaking WPA2? Nonsense.

Barring some newly-discovered weakness in the protocol (very unlikely at this point), breaking WPA2 essentially requires breaking AES or the public-key algorithm you're using for your 802.1x EAP-TLS certificates (no business would use PSK, right?). The only practical way to get in is to get hold of a client certificate by compromising a machine with access (e.g. a laptop). Unless of course your target keeps their client keys on password-protected smart cards. Then y

And when is the last time in your company that an outsider sporting nothing more than a handcart was given access to physical network resources? It simply is not in the same level of risk as a WiFi network.

I did refrigeration for 8-10 years. You can walk into just about anywhere. NOBODY EVER says anything, in fact of the 1000's of places I walked into, I don't think anyone ever challenged me. Maybe 1 out of 20 times someone asked "can I help you?" I'd say "I'm fine just here looking at the A/C" and then was totally ignored after that...

I respectfully disagree, it's very easy to put a policy in place which states that any visitor to the office needs to have a representative from within the company vouch for them and act as an escort on premises. If everyone knows the policy it's not very difficult to enforce, all it takes is proper training. It's a pretty small price to pay if your data is important enough to worry about it in the first place.

Again, I disagree, and I'll add that I'm basing this off of personal experience. With proper training any reasonable policy should be able to be implemented, the hard part is actually making sure that people are trained and understand the repercussions. "Hard" is the operative word, it's not "impossible," and can even be easy if you do it a lot. If you have important data, like medical records, credit card numbers, socials and people don't follow simple policies like that, then they should be terminated. If

Usually they can only get as far as the receptionist, unless they're able to social-engineer their way even farther. Although I have seen plenty of offices in which the reception area is open to the rest of the office and there is often no receptionist.

Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.

True. But that implies that you already have a security breach (even if that breach is a disgruntled employee or a bunch of employees wondering why the exterminator is hooking his laptop up to the network.) It's a lot easier to sit in the parking lot sniffing wireless traffic than it is to lob the weighted end of a long piece of CAT5 through an open 2nd story window and land it in an open port belonging to a machine that you've divined the MAC address for and spoofed.

It's not possible remotely. I'd like to know how a side channel attack could be executed against a wireless target? Magic? "Hey, do you mind if I hook up my oscilloscope to your router for a few hours? Why? No reason."

And I received every one of those scripts AND NOTHING BAD HAPPENED. And even if it did I'm fully backed up. If you have to run NoScript then you are doing things on a machine you shouldn't be browsing on, aren't properly backed up, and are paranoid. NoScript IS NOT worth the hassle when I have to back up my data anyways.

In the earlier days of the internet, a lot of sites wouldn't accept passwords longer than eight characters or with spaces in them. I think because of the way they were saved. What's worse is that some sites would accept the password at registration, but filter it when signing in; thus locking out the user forever.

And nowadays there are too many sites that ask such nonsense as "Must be longer than 6, shorter than 10, have 3 numbers, one capital letter". My phone company asks

With respect to the "dictionary attack," as pointed out recently on XKCD, use of a few random words would be a lot tougher for a computer to figure out than random letters/numbers/characters put together.

Absolutely not. That XKCD comic was just fucking wrong. As usual with XKCD.

Raw entropy only matters when your search pattern is random. Any attack that hopes to succeed on non-trivial passwords on a non-astronomical time scale will not be using a random search pattern. It will be using a dictionary-based attack, and will try single words, 2 words, 3 words,... up to some length of characters, well before trying patterns like 7{`G2we7+_+1\aW/.

I think you're missing the point of the XKCD comic... There are around 3000 commonly used words in English (xkcd assumed 11 bits per word, or 2048 words). A 6 year old child has a vocabulary of between 2500 and 5000 words [wikipedia.org].

If a user uses a 5 word password there are 3000^5 = 2.4E17 different combinations
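The two positions in the exchange above can be put side by side, as an added example that is not part of the original thread: a passphrase is only as strong as the cheapest model a guesser can use against it, so a word-based passphrase is scored against a word list rather than against its character count. The guess rate is an assumed figure for illustration, and the function names are made up here.

```python
import math

ASSUMED_GUESSES_PER_SECOND = 1_000_000  # assumption, not a figure from the article
SECONDS_PER_YEAR = 365.25 * 86400


def char_bits(length: int, alphabet: int) -> float:
    """Search space in bits when every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def word_bits(words: int, wordlist: int) -> float:
    """Search space in bits when whole words are drawn uniformly from a word list."""
    return words * math.log2(wordlist)


def effective_bits(words: int, wordlist: int, length: int, alphabet: int) -> float:
    """A dictionary-aware guesser picks whichever model is cheaper, so take the minimum."""
    return min(word_bits(words, wordlist), char_bits(length, alphabet))


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a 2**bits search space at the given rate."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    cases = {
        # 5 words from 3000: 25 lowercase letters look like 117 bits, but are not
        "5 words from 3000 (dictionary-aware)": effective_bits(5, 3000, 25, 26),
        "4 words from 2048 (xkcd's 11 bits/word)": word_bits(4, 2048),
        "8 random printable ASCII chars": char_bits(8, 95),
        "12 random alphanumeric chars": char_bits(12, 62),
        "23 random printable ASCII chars": char_bits(23, 95),
    }
    for label, bits in cases.items():
        print(f"{label:42s} {bits:6.1f} bits  {years_to_exhaust(bits):.3g} years")
```

The comparison only holds when the words or characters are picked at random; a phrase a person chose has less entropy than either formula reports.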

This was really informative and good. If I were protecting valuable data, I'd use WPA and a 10-character pass and I'd be protected against hackers with today's leetest gear for the rest of the existence of the universe. That's actually a pretty amazing statistic given just how hackable everything else is these days. Well done, designers of WPA!

That's why my Wi-Fi router is protected with a 12-character (alphanumeric) password under WPA2 that is really hard to figure out. The chances are not good that a hacker could crack that 12-character password in a couple of hundred years using today's laptop hardware.